Raphaël RIGNIER
2016-Jul-05 16:56 UTC
[Samba] winbind idmap_ad rfc2307 can't read uidNumber
On 05/07/2016 at 17:07, Rowland penny wrote:
> On 05/07/16 08:33, Raphaël RIGNIER wrote:
>> On 04/07/2016 at 20:09, Rowland penny wrote:
>>> On 04/07/16 18:35, Raphaël RIGNIER wrote:
>>>> Hi samba team !
>>>>
>>>> I have been trying for hours to resolve a problem I have with a Linux host
>>>> (Samba 4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2,
>>>> one is 2012 R2. Forest level is 2003 R2.
>>>>
>>>> my smb.conf :
>>>> [GLOBAL]
>>>> netbios name = CR-DEV-01
>>>> security = ADS
>>>> workgroup = ADDOMAIN
>>>> realm = ADDOMAIN.COM
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9998
>>>>
>>>> idmap config ADDOMAIN:backend = ad
>>>> idmap config ADDOMAIN:schema_mode = rfc2307
>>>> idmap config ADDOMAIN:range = 9999-999999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>>
>>>> 9999, the start of the range, is the "Domain Users" gidNumber, to have a default
>>>> primary group.
>>>> Shared uid and gid start at 10000.
>>>>
>>>> The test for groups :
>>>> --------------
>>>> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: info2
>>>> gidNumber: 10002
>>>> ------------------
>>>> # getent group info2
>>>> info2:x:10002:
>>>> ------------------
>>>> All is OK
>>>>
>>>> For the user, it is not working as expected :
>>>> -------------
>>>> # net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -P
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> --------------------------------
>>>> No uidnumber, gidnumber, gecos ?
>>>>
>>>> Same search with admin account :
>>>> ------------------------
>>>> net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -U administrator
>>>> Enter administrator's password:
>>>> Got 1 replies
>>>>
>>>> sAMAccountName: b.btstest
>>>> uidNumber: 13367
>>>> gidNumber: 10002
>>>> gecos: BTSTEST B
>>>> ---------------
>>>>
>>>> -----
>>>> #getent passwd b.btstest (no output)
>>>> ------
>>>> Winbind output
>>>> ------
>>>> getpwnam b.btstest
>>>> Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471: NT_STATUS_NONE_MAPPED
>>>> ----------
>>>> This is the same for all mapped AD users (3042 users).
>>>>
>>>> Does Winbind make its queries to the DCs with the machine account ?
>>>> Does that mean a bad AD schema ?
>>>>
>>>> Strange behavior.
>>>>
>>>> Thanks for help.
>>>>
>>>
>>> What 'libpam-*' packages do you have installed ?
>>>
>>> What have you got in /etc/nsswitch.conf
>>>
>>> Rowland
>>>
>>>
>> AFAIK, libpam is not used at this stage of the test. Only libnss_winbind
>> should be used.
>> Here is the libpam list :
>>
>> ii libpam-cap:amd64 1:2.24-12
>> ii libpam-ck-connector:amd64 0.4.6-5
>> ii libpam-gnome-keyring:amd64 3.18.3-0ubuntu2
>> ii libpam-krb5:amd64 4.7-2
>> ii libpam-modules:amd64 1.1.8-3.2ubuntu2
>> ii libpam-modules-bin 1.1.8-3.2ubuntu2
>> ii libpam-runtime 1.1.8-3.2ubuntu2
>> ii libpam-systemd:amd64 229-4ubuntu6
>> ii libpam-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.16.04.2
>> ii libpam0g:amd64 1.1.8-3.2ubuntu2
>>
>> pam_krb5 (my old auth method) is disabled via pam-update-auth
>>
>> my /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> #passwd: compat ldap
>> #group: compat ldap
>> shadow: compat
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>
> OK, everything looks correct there, but I have had a second thought,
> you posted:
>
> net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: b.btstest
> uidNumber: 13367
> gidNumber: 10002
> gecos: BTSTEST B
> ---------------
>
> -----
> #getent passwd b.btstest (no output)
> ------
>
> You also posted:
>
> # net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
> Got 1 replies
>
> sAMAccountName: info2
> gidNumber: 10002
> ------------------
> # getent group info2
> info2:x:10002:
>
> Now if I do something similar:
>
> net ads search '(SamAccountName=rowland)' samaccountName uidnumber gidnumber gecos -U administrator
> Enter administrator's password:
> Got 1 replies
>
> sAMAccountName: rowland
> uidNumber: 10000
> gidNumber: 10000
> gecos: Rowland Penny
>
> rowland@devstation:~/programming/git/samba-master$ getent group 10000
> domain_users:x:10000
>
> Have you changed the 'primaryGroupID' attribute for the users ?
>
> Rowland
>
>

The strange behavior is the different output between the group object and the user object,

and between

net ads search -U administrator
net ads search -P

In the Samba Wiki, primarygroupid refers to the one in the user's "Unix Attributes" tab, which is in fact gidNumber. (I have made tests to check this.)
The primaryGroupID attribute refers to the Posix primary group in the user's "member of" tab, which is a conversion from the SID. Both are different numbers but point to the same group.
I find this quite confusing.
On 05/07/16 17:56, Raphaël RIGNIER wrote:
> The strange behavior is the different output between group object and
> user object
>
> and
> net ads search -U administrator
> net ads search -P
>
> in Samba Wiki, primarygroupid refers to the one for User's "Unix
> Attributes" tab. Which is in fact GidNumber. (I have made tests to
> check this)
> The primaryGroupID attribute refers to Posix primary Group in user's
> "member of" tab. Which is a conversion from SID. Both are different
> numbers but points to same group.
> I find this quite confusing

Sorry, but that doesn't answer the question: have you changed the users' 'PrimaryGroupID' attribute ?

If I do this:

rowland@devstation:$ ldbsearch -H ldap://dc1 -b 'cn=Users,dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' primaryGroupID -U Administrator
Password for [SAMDOM\Administrator]:
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513

# returned 1 records
# 1 entries
# 0 referrals

Which, as you can see, shows that my 'primaryGroupID' is set to '513'; this is what it should be, this is the RID for 'Domain Users'.

So if you run the command (making the obvious changes for your setup), what do you get ?

To get winbind to return users when using the 'ad' backend, each user needs to have a 'uidNumber' containing a unique number inside the range set in smb.conf. You also need to give 'Domain Users' a 'gidNumber' attribute containing a number inside the range set in smb.conf; this number can be the same as a user's, but must be unique amongst groups.

From this, I hope you can see that the users' 'primaryGroupID' attribute needs to contain the RID for 'Domain Users'.

Rowland
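A small checker, added here as an example and not part of the thread, that applies the rules in Rowland's reply above to records in the 'attr: value' form that net ads search and ldbsearch print, and also flags attributes that came back for administrator but not with the machine credentials (-P), which is the discrepancy the poster observed. The smb.conf fragment, the two user views and the group records are constructed to mirror the values in this thread.

```python
import re
# Constructed inputs mirroring the values in the thread (not copied from the poster's system): the
# idmap range from smb.conf, the user as seen with -P and with -U administrator, and the two groups.
SMB_CONF = """
idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:range = 9999-999999
"""
USER_VIA_MACHINE = "sAMAccountName: b.btstest\n"
USER_VIA_ADMIN = ("sAMAccountName: b.btstest\nuidNumber: 13367\n"
                  "gidNumber: 10002\ngecos: BTSTEST B\nprimaryGroupID: 513\n")
GROUPS_VIA_ADMIN = {"Domain Users": "gidNumber: 9999\n", "info2": "gidNumber: 10002\n"}
DOMAIN_USERS_RID = 513  # well-known RID that a user's primaryGroupID must hold

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high', or None."""
    m = re.search(r"idmap config %s:range\s*=\s*(\d+)-(\d+)" % re.escape(domain), conf)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_record(text):
    """Parse 'attr: value' lines as printed by net ads search / ldbsearch (keys lower-cased)."""
    rec = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            rec[key.strip().lower()] = value.strip()
    return rec

def check_user(machine_view, admin_view, groups, rng):
    """Apply the reply's rules; returns a list of findings (empty when winbind has what it needs)."""
    low, high = rng
    findings = []
    for attr in ("uidnumber", "gidnumber", "gecos"):  # present for admin, absent for the machine account?
        if attr in admin_view and attr not in machine_view:
            findings.append(f"{attr} not returned with machine credentials (-P)")
    uid = admin_view.get("uidnumber")
    if uid is None or not low <= int(uid) <= high:
        findings.append(f"uidNumber {uid} missing or outside idmap range {low}-{high}")
    if admin_view.get("primarygroupid") != str(DOMAIN_USERS_RID):
        findings.append("primaryGroupID is not 513 (Domain Users)")
    du_gid = groups.get("domain users", {}).get("gidnumber")
    if du_gid is None or not low <= int(du_gid) <= high:
        findings.append(f"Domain Users gidNumber {du_gid} missing or outside idmap range")
    if len({g.get("gidnumber") for g in groups.values()}) != len(groups):
        findings.append("gidNumber values are not unique amongst groups")
    return findings

def run():
    groups = {name.lower(): parse_record(txt) for name, txt in GROUPS_VIA_ADMIN.items()}
    return check_user(parse_record(USER_VIA_MACHINE), parse_record(USER_VIA_ADMIN),
                      groups, idmap_range(SMB_CONF, "ADDOMAIN"))
```

With the thread's values, run() reports only the three attributes that the machine account does not get back; the uidNumber, primaryGroupID and Domain Users gidNumber rules all pass.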
Raphaël RIGNIER
2016-Jul-05 17:53 UTC
[Samba] winbind idmap_ad rfc2307 can't read uidNumber
On 05/07/2016 at 19:40, Rowland penny wrote:
> On 05/07/16 17:56, Raphaël RIGNIER wrote:
>> The strange behavior is the different output between group object and
>> user object
>>
>> and
>> net ads search -U administrator
>> net ads search -P
>>
>> in Samba Wiki, primarygroupid refers to the one for User's "Unix
>> Attributes" tab. Which is in fact GidNumber. (I have made tests to
>> check this)
>> The primaryGroupID attribute refers to Posix primary Group in user's
>> "member of" tab. Which is a conversion from SID. Both are different
>> numbers but points to same group.
>> I find this quite confusing
>
> Sorry, but that doesn't answer the question, have you changed the
> users 'PrimaryGroupID' attribute
>
> If I do this:
>
> rowland@devstation:$ ldbsearch -H ldap://dc1 -b 'cn=Users,dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' primaryGroupID -U Administrator
> Password for [SAMDOM\Administrator]:
> # record 1
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> primaryGroupID: 513
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Which, as you can see, shows that my 'primaryGroupID' is set to '513',
> this is what it should be, this is the RID for 'Domain Users'
>
> So if you run the command (making obvious changes for your setup),
> what do you get ?
>
> To get winbind to return users when using the 'ad' backend, each user
> needs to have a 'uidNumber' containing a unique number inside the
> range set in smb.conf. You also need to give 'Domain Users' a
> 'gidNumber' attribute containing a number inside the range set in
> smb.conf, this number can be the same as a user, but must be unique
> amongst groups.
>
> From this, I hope you can see that the users 'primaryGroupID'
> attribute needs to contain the RID for 'Domain Users'.
>
> Rowland
>

Sorry.
Here is the result:

ldbsearch -H ldap://10.11.1.3 -b "OU=USERS,DC=ADDOMAIN,DC=com" -s sub '(samaccountname=b.btstest)' primarygroupID -U administrator
Password for [ADDOMAIN\rignier]:
# record 1
dn: CN=BTSTEST B,OU=info2,OU=USERS,DC=ADDOMAIN,DC=com
primaryGroupID: 513

# returned 1 records
# 1 entries
# 0 referrals

My primaryGroupID is indeed 513. I have tried the 'info2' RID, without more success, so back to 513.